Example - Universal Payload Analysis for Syslog

Description

One of the key new features in ExtraHop v4.0 is Universal Payload Analysis -- with this advanced feature, we now have the ability to understand previously unsupported protocols. New methods and events introduced into the Application Inspection Triggers grant you access to TCP and UDP payloads and enable you to parse those payloads. For more information on this feature, read the Universal Payload Analysis datasheet.

This bundle is an example of using Universal Payload Analysis to parse the Syslog protocol, store metrics for the activity, and chart that activity over time.
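As an added example (not the bundle's own trigger code, and not using the ExtraHop trigger API), the following shows the parsing step the bundle performs on each payload: reading the syslog PRI header, deriving facility and severity, and reducing a set of payloads to per-severity counts, which is the kind of metric the trigger stores. The sample payloads are constructed.

```javascript
// Added example, not the bundle's trigger code: parse the syslog PRI header
// from raw UDP/TCP payloads and aggregate counts per severity, the kind of
// metric an Application Inspection Trigger would store and chart.
// No ExtraHop API is used; the sample payloads below are constructed.

const SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug'];

// RFC 3164 and RFC 5424 both begin with "<PRI>" where PRI = facility * 8 + severity.
function parseSyslog(payload) {
  const m = /^<(\d{1,3})>/.exec(payload);
  if (!m) return null;                 // no PRI header: not a syslog record
  const pri = Number(m[1]);
  if (pri > 191) return null;          // 23 * 8 + 7 is the largest valid PRI
  const facility = Math.floor(pri / 8);
  const severity = pri % 8;
  const rest = payload.slice(m[0].length);
  // RFC 5424 places a version digit right after PRI ("<34>1 2024-..."); RFC 3164 does not.
  const version = /^1 /.test(rest) ? 1 : 0;
  return { facility, severity, severityName: SEVERITIES[severity], version, message: rest };
}

// Aggregate per-severity counts over a list of payloads. A TCP segment may carry
// several newline-terminated records (RFC 6587 non-transparent framing), so split.
function countBySeverity(payloads) {
  const counts = {};
  for (const p of payloads) {
    for (const record of p.split('\n')) {
      if (!record) continue;
      const parsed = parseSyslog(record);
      const key = parsed ? parsed.severityName : 'unparsed';
      counts[key] = (counts[key] || 0) + 1;
    }
  }
  return counts;
}

// Constructed samples: one RFC 3164 record, one RFC 5424 record, one TCP
// segment holding two records, and one non-syslog payload on the same port.
const SAMPLE_PAYLOADS = [
  "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
  '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An application event log entry',
  '<13>Oct 11 22:14:16 host1 app: ok\n<11>Oct 11 22:14:17 host1 app: disk full\n',
  'GET / HTTP/1.1',
];

function sampleSeverityCounts() {
  return countBySeverity(SAMPLE_PAYLOADS);
}
```

Payloads that fail to parse are counted under `unparsed` rather than dropped, so non-syslog traffic on the configured port still shows up in the chart.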

ICAP is short for Internet Content Adaptation Protocol. It is a lightweight HTTP-like protocol used by transparent proxies to adapt content between clients and servers. For more information on ICAP, see the Wikipedia article on the protocol.

Caveats

Keep in mind that this bundle is just an example of what Universal Payload Analysis can do.

We have not tested it at any amount of scale.

Installation Instructions

In the full product, import the bundle -- then enable and assign the trigger and pages to whichever devices you'd like to monitor for Syslog activity over UDP or TCP. Once some Syslog traffic traverses the network, the charts on the 'UPA - Syslog' pages and the 'Syslog (UPA)' dashboard should show activity.

You may need to edit the trigger to make sure the network ports for Syslog match the ones your environment uses. Go to Settings, click Triggers, and click the Syslog UDP Payload Analysis and/or the Syslog TCP Payload Analysis trigger. Under the Configuration tab, click the Show advanced options button. Set Server port min and Server port max to match your environment.